Personal data on about 2.2 million active-duty military, Guard and Reserve personnel — not just 50,000 as initially believed — were among those stolen from a Veterans Affairs employee last month, the government said Tuesday.
VA Secretary Jim Nicholson said the agency was mistaken when it said over the weekend that up to 50,000 Navy and National Guard personnel — and no other active-duty personnel — were affected by the May 3 burglary.
In fact, names, birth dates and Social Security numbers of as many as 1.1 million active-duty personnel from all the armed forces — or 80 percent of all active-duty members — are believed to have been included, along with 430,000 members of the National Guard, and 645,000 members of the Reserves.
"VA remains committed to providing updates on this incident as new information is learned," Nicholson said in a statement, explaining that it discovered the larger numbers after the VA and Pentagon compared their electronic files more closely.
His announcement came shortly after the Pentagon distributed a briefing memo to Congress — obtained by The Associated Press — that said the 50,000 figure cited over the weekend was understated.
The disclosure is the latest in a series of revisions by the government as to who was affected since publicizing the burglary on May 22. At the time, the VA said the stolen data involved up to 26.5 million veterans discharged since 1975, as well as some of their spouses.
It also came as a coalition of veterans' groups charged in a lawsuit against the federal government Tuesday that their privacy rights were violated by the theft. The class-action lawsuit, filed in U.S. District Court in Washington, is the second suit since the VA disclosed the burglary two weeks ago.
Veterans advocates immediately expressed outrage.
"The magnitude of this data breach is simply breathtaking and overwhelming," said Rep. Lane Evans, D-Ill., the top Democrat on the House Veterans' Affairs Committee. He called on the Government Accountability Office, Congress' investigative arm, to launch an investigation and get a full accounting.
"Instead of continuing to eke out the information, drip by drip, on an almost daily basis, adding to the list of those whose personal information is at risk, the Department of Veterans Affairs must get to the bottom of this now, fix the problem and put veterans' minds at ease," he said.
Joe Davis, a spokesman for Veterans of Foreign Wars, said the VA must come clean after three weeks of "this debacle."
"This confirms the VFW's worst fear from day one — that the loss of data encompasses every single person who did wear the uniform and does wear the uniform today," he said.
In the VA statement, Nicholson said the total number of military personnel affected by the theft — 26.5 million — remains unchanged.
The VA initially assumed its data would only include veterans, but upon closer investigation it realized it had records for active-duty personnel because they are eligible to receive certain VA benefits such as GI Bill educational assistance and the home loan guarantee program.
The VA previously has said that veterans discharged before 1975 might also be affected if they submitted claims.
The lawsuit filed Tuesday demands that the VA fully disclose which military personnel are affected by the data theft and seeks $1,000 in damages for each person — up to $26.5 billion total. The veterans are also seeking a court order barring VA employees from using sensitive data until independent experts determine proper safeguards.
"VA arrogantly compounded its disregard for veterans' privacy rights by recklessly failing to make even the most rudimentary effort to safeguard this trove of the personally identifiable information from unauthorized disclosure," the complaint says.
In response to the lawsuit, the VA said it is in discussions with credit-monitoring services to determine "how veterans and others potentially affected can best be served" in the aftermath of the theft, said spokesman Matt Burns.
Maryland authorities, meanwhile, announced they were offering a $50,000 reward for information leading to the return of the laptop or media drive taken during the May 3 burglary at a VA data analyst's home in Aspen Hill, Md.
Veterans groups have criticized the VA for a three-week delay in publicizing the burglary. The VA initially disclosed the burglary May 22, saying it involved the names, birth dates and Social Security numbers — and in some cases, disability codes — of veterans discharged since 1975.
Since then, it also has acknowledged after an internal investigation that the data could also include phone numbers and addresses of those veterans.
There have been no reports that the stolen data have been used for identity theft in what has become one of the nation's largest security breaches.
On Tuesday, the Montgomery County, Md., police department stepped up efforts to apprehend the burglars, asking the public to contact authorities if they recently purchased a used Hewlett-Packard laptop or HP external drive.
Anyone who purchased a used Hewlett Packard Laptop model zv5360us or HP external personal media drive after May 3 was asked to call Montgomery County Crime Solvers at 1-866-411-TIPS (8477). Anyone with the stolen equipment can turn it in anonymously and become eligible for the $50,000 reward, police said.
The five veterans' groups involved in the lawsuit are Citizen Soldier in New York; National Gulf War Resource Center in Kansas City; Radiated Veterans of America in Carson City, Nev.; Veterans for Peace in St. Louis; and Vietnam Veterans of America in Silver Spring, Md.
Separately, a Democratic activist also has sued the VA in federal court in Cincinnati.